One of the reasons people have preferred Windows NT—and now Windows 2000—to the Windows 9x platform has been the ability to set and manage file permissions more precisely and more conveniently. If you use the NT file system (NTFS), you can set file permissions at the local PC level in addition to the file-sharing permissions of the network environment.
But along with all this additional functionality comes complexity and the potential for all kinds of headaches for the network administrator. One harried manager wants to know why he can’t access the data on a colleague’s PC that he needs to assemble an important presentation; another can’t figure out why the intern from the mailroom was able to browse the files he thought he had secured. More options mean more chances for confusion and user error, and if you don’t have a thorough understanding of the various permissions and their relationships, it can be nearly impossible to sort out a permission problem and find a solution.
In this Daily Drill Down, I’ll review the file and folder permissions in Windows 2000. My next Daily Drill Down will cover NTFS permissions in Windows 2000. Finally, you can read an article that puts it all together: “Combining sharing and NTFS permissions in Windows 2000.” Once you understand Windows 2000 permissions and how they interact, you should be able to troubleshoot permission issues more quickly as they occur on your network.
Read the whole series
Look for parts two and three in the series coming soon on TechProGuild:
- “NTFS permissions in Windows 2000”
- “Combining sharing and NTFS permissions in Windows 2000”
In any Windows network environment (peer-to-peer or server-based), you can set sharing permissions for drives and folders. By default, when you set up a PC on a network, no drives or folders on that PC are shared. The local user of that PC can choose to share entire drives or individual folders on a drive. This type of security is not really that secure, however, because it affects only network access. Local access (that is, someone sitting down at the PC and logging on) is wide open.
For drives formatted with NTFS, you can set NTFS permissions. These can affect drives and folders and individual files, too. NTFS permissions affect local users as well as network users and are based on the permission granted to individual user logons, regardless of from where they are connecting. You also have a much wider variety of permissions to choose from with NTFS permissions, so you can more precisely control the rights being granted.
When sharing permissions and NTFS permissions conflict, the more restrictive of the two wins. For example, if someone has full access to a certain file through NTFS permissions but has no sharing permissions to the folder in which it resides, that user cannot access the file from the network. The same user can, however, physically sit down at the local PC containing the file, log in, and access it, because sharing permissions do not affect local access.
Working with shared folders
Shared folders provide remote access to the files on a PC. Folder sharing is available on drives using all types of partitions: FAT, FAT32, or NTFS. It is also available not only in Windows 2000 but also in Windows NT and Windows 95/98/Me and even the old Windows for Workgroups 3.11 (although in a more rudimentary way in that OS).
To share any folders (or any printers, for that matter) on a Windows 2000 PC, File And Printer Sharing For Microsoft Networks must be installed as a networking component. To check for it, right-click My Network Places and choose Properties. Then right-click Local Area Connection and choose Properties. If File And Printer Sharing For Microsoft Networks does not appear on the list shown in Figure A, add it by clicking Install and choosing it from the Services category.
Figure A: File And Printer Sharing For Microsoft Networks must be installed in order to share folders over a network.
After File And Printer Sharing For Microsoft Networks is in place, you can share individual drives and folders. Do so by right-clicking a drive or folder and choosing Sharing. The Sharing tab of the Properties dialog box opens.
Sharing is slightly different for drives versus folders. With a drive, you might see a default share already set up. These have a $ following the share name, as in Figure B. Such shares are for administrative use only; ordinary users will not be able to see or browse a drive shared in this way on the network. Consequently, if you want to share an entire drive on your network, you must create an additional share for it.
Figure B: C$ is the default administrative share for this drive; it does not count as a user-to-user share.
To create a new share for a drive, click the New Share button and then fill in the Share Name, any comment you want to make, and a user limit for concurrent usage (if desired). While you are there in the New Share dialog box (see Figure C), you can click the Permissions button to specify who will have access to the shared drive, or you can save that for later.
Figure C: Create a new share to allow other users to access the drive.
For a folder, the process is more straightforward because there are no default administrative shares. By default, a folder is set to Do Not Share This Folder. To share it, choose the Share This Folder button and then enter a share name, comment, and user limit.
Regardless of whether you are sharing a folder or a drive, you can configure permissions the same way: Display the Sharing tab and click the Permissions button. A Permissions dialog box appears, as in Figure D. By default, all permissions are granted to everyone.
Figure D: Limit permission to the folder or drive if desired.
If you plan to use NTFS permissions in conjunction with sharing permissions, you might want to leave the sharing permissions set at the default “free-for-all” settings and rely on the NTFS permissions to lock down certain sensitive items. However, if you aren’t going to use NTFS permissions, or if you can’t because the drive is FAT or FAT32, you might want to restrict access at the sharing level.
Note in Figure D that there are three types of sharing permissions:
- Read: Users can display the contents of the folder, open files, display attributes, and run programs.
- Change: Users have all the rights of Read plus the ability to create new folders and files within the shared folder or drive, open and change files, change file attributes, and delete folders and files.
- Full Control: Users have all of the rights of Change plus the ability to take ownership of files and change file permissions.
Everything within a shared drive or folder inherits its sharing permissions. For example, if a shared drive has 10 folders, all of those folders have the same sharing permissions as the drive unless they are set otherwise. Permissions are cumulative, which means in the event of a conflict between a specific folder’s permissions and those it has inherited from the drive (or parent folder), the most lenient wins. For example, if you allow Read access on a folder but do not allow Change or Full Control on that folder but the drive itself allows Full Control, that folder will also have Full Control access permitted.
For each setting (Read, Change, and Full Control), you can choose the option to Allow or Deny. The default is set to Allow. If you don’t want to allow a particular permission, you simply deselect the Allow checkbox. “Disallowing” something (that is, turning off Allow permissions for it) takes away that right but enables the folder to inherit permissions from the parent folder or drive.
Tip: Don’t Deny
The Deny option should only be used sparingly, because it overrides any more lenient permissions. For example, if you set Read access for a folder to Deny and the drive on which the folder resides allows Full Control, everything on that drive will have Full Control access except for that folder, which will have no access at all.
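As an added example (not from the original article), here is a small Python model of the rules just described: Allow entries are cumulative with those inherited from the parent share, a Deny overrides them, and over the network the more restrictive of the share and NTFS permissions wins while a local logon ignores share permissions entirely. The user, group, and share names are constructed sample data, and expressing the NTFS permission on the same three-level scale is a simplification made for this example.

```python
# Added example, not from the original article: a model of the sharing-permission
# rules described in the text so that their evaluation order can be checked offline.
# All user, group and share names below are constructed sample data.

LEVELS = ["Read", "Change", "Full Control"]  # each level includes the ones before it
RANK = {level: i for i, level in enumerate(LEVELS)}


def share_level(aces, principals):
    """Effective share permission for a user who is a member of `principals`.

    `aces` lists (principal, permission, allow) entries for the share, including
    any inherited from the parent share or drive. Allow entries are cumulative,
    so the most lenient one wins. A Deny overrides Allow, and because higher
    levels include lower ones, denying a level also blocks every level above it
    (Deny Read therefore means no access at all, as the tip above describes).
    Returns the highest remaining level, or None for no access.
    """
    mine = [(perm, allow) for who, perm, allow in aces if who in principals]
    # Lowest denied level; everything at or above it is blocked.
    denied_from = min((RANK[p] for p, allow in mine if not allow), default=len(LEVELS))
    allowed = [RANK[p] for p, allow in mine if allow and RANK[p] < denied_from]
    return LEVELS[max(allowed)] if allowed else None


def effective_access(share_aces, ntfs_level, principals, local=False):
    """Combine share and NTFS permissions as the article describes.

    `ntfs_level` is the user's NTFS permission on the same three-level scale
    (a simplification; real NTFS permissions are finer grained). Over the
    network the more restrictive of the two wins; for a local logon the share
    permissions do not apply at all.
    """
    if local:
        return ntfs_level
    share = share_level(share_aces, principals)
    if share is None or ntfs_level is None:
        return None
    return LEVELS[min(RANK[share], RANK[ntfs_level])]


# Constructed sample: the drive share grants Everyone Full Control, the Projects
# folder share grants Everyone Read and Administrators Full Control, and the
# Interns group is denied Change on it.
PROJECTS_ACES = [
    ("Everyone", "Full Control", True),  # inherited from the drive share
    ("Everyone", "Read", True),
    ("Administrators", "Full Control", True),
    ("Interns", "Change", False),
]
```

Running `share_level(PROJECTS_ACES, {"Everyone"})` reproduces the inheritance example from the text: the folder's Read-only entry is outweighed by the Full Control inherited from the drive.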
When you share a folder or drive, there is only one group with permissions assigned by default: the Everyone group. That means all users will have the same permission rights to the object, regardless of any group affiliation. You can delete the Everyone group from the list and/or add other groups or individuals to its permissions list. You might, for example, delete the Everyone group from the list entirely or leave it there and set it to allow Read permission only and then add the Administrators group to the list and grant that group Full Control.
To add a group or user to the permissions list for an object, start from the Permissions dialog box (Figure D); click the Add button; choose the user or group you want in the Select Users, Computers, Or Groups box (Figure E); and click the Add button. When you’re finished, click OK to return to the Permissions dialog. The users and groups you chose will appear on the Permissions list, ready to have their permission levels set.
Figure E: Specify other users or groups besides Everyone to receive permissions.
Here are some tips for using sharing permissions effectively:
- Grant only the permissions that a group or user needs; disallow all others. In most cases, Change permission is all a user needs for a drive or folder. Change enables users to run programs, edit files, and so on.
- Do not allow Full Control for a drive to the Everyone group. If certain users must have complete control of a drive, assign Full Control to a particular group or create a group for that purpose.
- Do not use the Deny option unless you have a specific reason to do so. It’s easy to forget that you’ve used the Deny option and spend fruitless hours troubleshooting a file access issue because of it.
- Assign sharing permissions to groups rather than individuals, to minimize administrative work.
- Use descriptive share names to help users locate the shared drives or folders they want.
- Group folders that need the same sharing permissions together under a single parent folder, and then assign the permissions to that parent folder.
In this Daily Drill Down, you learned to configure file-sharing permissions for groups and individuals. You learned how permissions are inherited and what happens when file and folder permissions conflict.